
Situation

I have an ESXi Server hosting multiple VMs, including one for each pfSense, Varnish and Tomcat. They are configured like the following:

  1. pfSenseVM (Firewall, IP=10.0.0.1)
    • NAT Rules from port 80 to VarnishVM:80 and port 443 to VarnishVM:443
    • webConfigurator listens on port 443
    • webConfigurator is not accessible from outside
    • has installed a default SSL Certificate with CN=Common Name (eg, YOUR name) under System > Cert Manager
  2. VarnishVM (Proxy, IP=10.0.0.2)
    • Routes requests for my.domain.com:443 to the backend Tomcat:8443
  3. TomcatVM (Application Server, IP=10.0.0.3)
    • connector in server.xml listens on port 8443
    • self-signed certificate imported in keystore used by above connector
    • the self-signed certificate has the CA CN=*.domain.com

Problem

It seems that I receive the wrong certificate (CN=Common Name (eg, YOUR name)).

  • When I enter https://my.domain.com in a browser, it keeps loading and after a few tries I see in Firebug that the request was aborted. The varnishlog shows a timeout.
  • When I call a wget https://my.domain.com from the TomcatVM, the received certificate is the one installed in pfSense and is not working because of the certificate's CN. I believe that this is the key.
  • When I call a wget https://localhost:8443 from the TomcatVM, the received certificate is the one installed in the Java keystore, which is correct but obviously not working because localhost does not match *.domain.com

Why do I receive the wrong certificate? I can only assume that I need to configure the webConfigurator from pfSense to listen on a different port. If that's correct, how would I do that?

UPDATE

I have now a Pound instance (PoundVM) and got webConfigurator to sit on a different port.

  • pfSense now has a NAT rule from port 443 to PoundVM:443 (replacing the one to VarnishVM:443)
  • PoundVM (IP=10.0.0.4)
    1. Pound listens on port 443 and is configured like this

It still does not work. Firebug still shows "Aborted" and I can't see any log messages from Pound.

I should also note that the (self-signed) certificate was created on the TomcatVM using OpenSSL (as .crt) and imported to the Java keystore. I then copied that and the private key to PoundVM and created a .pem file using this guide. The Cert value in the Pound config points to this file. Is that correct?

UPDATE 2

I made a copy-paste error in the Pound config, the address on which the HTTPS listener listens is now 10.0.0.4 instead of 127.0.0.1 and Pound can be reached from outside. It now gives me an HTTP 414: Request URI too long, although the requested URI is about 200 characters long. I found that I can configure the MAXBUF when compiling Pound. But I installed it using apt... Nevertheless I find the 414 strange because the URI is https://my.domain.com/some/path/that/is/certainly/not/1024/bytes/long

UPDATE 3

I got it working now by redirecting to Tomcat's HTTP port instead of HTTPS. Pound is new to me and I thought I could redirect the encrypted request to Tomcat.

thobens
  • It seems that when I change the port of pfSense's webConfigurator, I cannot reach behind it. At least varnish does not log anything on port 443 – thobens Oct 01 '14 at 20:11

1 Answer

webConfigurator is sitting on port 443, and so is your NAT. You can't have it both ways. You mentioned that moving webConfigurator still doesn't allow this to work; my guess is that pfSense has some special magic applied to port 443 to restrict admin access. You can either disable this magic, or do the much easier option and either run the NAT against a different port or a different IP. Of the two, a separate port is probably much, much easier. Let's say you picked 8443 (for consistency with the Tomcat server). You'd then access the site by https://my.domain.com:8443.

Now, all that said, you didn't explain how it is that you are decoding SSL here. Varnish isn't going to work for SSL traffic. Thus, even once you get this working it... won't work. So you either need to fill out your explanation a bit more, or rethink/eliminate your use of Varnish. One common solution I've seen is the use of a dedicated SSL decoding proxy, like Pound, in front of Varnish.

See also the "Why No SSL" FAQ on Varnish's website.

BMDan
  • I managed to get webConfigurator working on a different port, and everything works except HTTPS. I read that Varnish isn't able to cache SSL encrypted traffic, which is fine with me. SSL traffic is decrypted on the tomcat server directly. I just need Varnish to route the traffic through depending on the requested domain. Of course, it is used as a cache where possible. Isn't Varnish capable of passing through SSL encrypted traffic at all? – thobens Oct 03 '14 at 18:05
  • No; Varnish doesn't speak SSL. It must be plain HTTP when it reaches Varnish (notwithstanding the `CONNECT` verb, but even that is HTTP, albeit weird HTTP). The most common approach is to use something like Pound or nginx to unwrap the SSL off of the HTTP before it hits Varnish. I've added a relevant link to my answer, above. – BMDan Oct 06 '14 at 21:28
  • Thanks for your answers and your time, it helped me to learn something more about HTTPS in general and to solve my problem in particular :) – thobens Oct 07 '14 at 20:54
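One way to see which hop is handing out the wrong certificate, as an added example that is not part of the original question or answer. It assumes openssl is installed on the machine you run it from; the hosts, ports and hostname are the ones from the question (pfSense 10.0.0.1:443, Pound 10.0.0.4:443, Tomcat 10.0.0.3:8443, my.domain.com), so adjust them for your own setup.

```shell
#!/bin/sh
# Added example (not from the post). Walks the hops outside-in, sends the
# SNI name the browser would send, and checks the leaf certificate's CN
# against that name. Hosts/ports are the ones from the question.

# name_matches HOST PATTERN: RFC 6125 style, '*' only stands for the whole
# leftmost label, so "*.domain.com" matches "my.domain.com" but neither
# "localhost" nor "a.b.domain.com". Returns 0 on a match.
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        \*.*)
            suffix=${pat#\*}                      # ".domain.com"
            case "$host" in
                *"$suffix") left=${host%"$suffix"} ;;
                *) return 1 ;;
            esac
            [ -n "$left" ] || return 1            # need a leftmost label
            case "$left" in *.*) return 1 ;; esac # exactly one label
            return 0 ;;
        *)  [ "$host" = "$pat" ] ;;
    esac
}

# cn_from_subject SUBJECT: pull the CN out of `openssl x509 -subject
# -nameopt sep_multiline` output (one RDN per line, so a CN that itself
# contains a comma, like pfSense's default cert, survives intact).
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/^ *CN *= *//p' | sed 's/ *$//'
}

# show_cert HOST PORT SNI: fetch the presented leaf cert and report whether
# its CN matches the name we asked for. Exit 1 on mismatch, 2 on no TLS.
show_cert() {
    subj=$(openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
           | openssl x509 -noout -subject -nameopt sep_multiline 2>/dev/null) \
        || { echo "$1:$2 no TLS answer"; return 2; }
    cn=$(cn_from_subject "$subj")
    if name_matches "$3" "$cn"; then echo "$1:$2 presents CN=$cn (matches $3)"
    else echo "$1:$2 presents CN=$cn (does NOT match $3)"; return 1; fi
}

# Usage: `sh check.sh run` walks the three hops from the question.
if [ "${1:-}" = "run" ]; then
    for hop in 10.0.0.1:443 10.0.0.4:443 10.0.0.3:8443; do
        show_cert "${hop%:*}" "${hop#*:}" my.domain.com
    done
fi
```

Current browsers ignore the CN and require a subjectAltName entry, so a certificate that only passes this CN check may still be rejected by them.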